What Is Considered Personal Data Under GDPR?

Have you looked around for a definitive list of attributes considered personal data by the GDPR? If you have a database, have you had difficulty working out what is covered and what isn’t, or has someone else asked you what is considered personal data and you are unsure?

Well, hopefully no longer. In this short video, we discuss what the GDPR says, how you can decide whether what you have is personal data, and what it means for your GDPR implementation plans.

The General Data Protection Regulation (GDPR) comes into force on May 25, 2018, regulating the processing and movement of personal data of any person who resides in the 28 countries of the European Union. Companies don’t have long to work out what data we have that is covered.

Skyhigh has published multiple documents around GDPR, including a 68-page book. and many background documents, including how cloud computing can be managed to reduce risk of breaking the regulation. All are now available in one place in our GDPR resource center.

The GDPR: An Action Guide for IT

Sam: Can you explain what is and what isn’t personal data as far as the GDPR is concerned?

Nigel: I get asked this question a lot, it is difficult to answer because wherever you look there isn’t a definitive list

Sam: Oh, well, can you give me a list of fields I need to check for in my databases to see whether the data I have is covered?

Nigel: Well, it’s not quite as easy as that.

Sam: Why not? I know regulations such as PCI DSS, this defines the way payment card data has to be controlled and I’d like a simple list of all types of personal data for GDPR, can you give me a list please?

Nigel: Well, it’s not quite as easy as that. GDPR defines personal data as any information relating to an already identified individual or that can identify an individual either directly or indirectly. Does that help?

Sam: Not completely, so is a person’s name considered personal information?

Nigel: Yes.

Sam: Great, can you give me the rest of the list?

Nigel: Well, it’s not quite as easy as that. The GDPR does give some examples of identifiers; such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sam: A quick aside, what is a natural person?

Nigel: Someone who is alive and lives in the EU.

Sam: So not dead people then?

Nigel: No, dead people’s data can be used without problems.

Sam: OK, so I still don’t have a list – why isn’t there a list?

Nigel: The definition is purposefully not an exhaustive list, because if there was a list it might get out of date as new data types are invented. So, you need to decide if someone defines a specific person and if so, it is personal data.

Nigel: There you go, that’s the right process, you are now defining what in your system is personal data, that’s what you need to do.

Sam: OK, I still think it would be easier if they produced a list.

Nigel: Let’s come at it from another angle. There are driving laws in every country that include speeding, not running red lights or using the phone while driving and they are specific.

Sam: That’s good – let’s get specific

Nigel: But there are also laws that are more general, for example dangerous driving, being dangerous is a value-based judgement, depending on circumstances; speed, etc – its about danger, not a list of specific things.

Nigel: OK, let’s try another example and you’ll see the dilemma. If the company you work for provides all employees with mobile devices to perform their function and these are tracked, that might or might not be personal data.

Sam: Really? Why do you say “might or might not”?

Nigel: If each day every employee picks up a new device, uses it for that day and the tracking is within the building simply to change the air conditioning settings due to the number of employees in a certain area, nothing is stored, nothing is correlated with any other data and the unit is left behind and a new one picked up the following day, you could argue that there is no personal data there.

Sam: OK, I sense a “but” coming on.

Nigel: But, if those devices are taken home and still tracked and the company collects data on the device location 24/7, then using the data on employee home addresses each device then uniquely identifies an employee and …

Sam: I get it, now it is personal data.

Nigel: You got it. Going back to the definition, it also talks about profiling – the collection of various aspects that taken together may identify an individual person. As soon as the data you have collected can identify a person, it is considered personal data.

Sam: OK, so I need to review all of my data and if it can identify someone, then it is personal data and if it cannot, then it isn’t at the moment. However in the future if that information taken with other information CAN identify an individual, then all of a sudden it becomes personal data.

Nigel: Bingo

Sam: Let me give you an example and see if I’ve got it. I have bulk data on the TV shows people watch, I also have data on their ages and the phones that they use because I used an app to collect that data but I didn’t ask for any other data from them. If I then start collecting data on the type of car that they drive I might now start having personal information; as if there’s only one person aged 94 who watches Game of Thrones, drives a Maserati and uses a Windows Phone in my database, then I know who he is.

Nigel: Yes, I think that the 94 year old, Maserati-driving Windows Phone user watching Game of Thrones is pretty unique and specific. That’s now personal data!